Drmingler

**Name of the Vulnerable Software and Affected Versions** dalfox versions prior to 2.12.0 **Description** When running in REST API server mode (`dalfox server`), the software binds to `0.0.0.0:6664` by default without requiring authentication. An unauthenticated attacker can send a request to the '/scan' endpoint providing arbitrary values for the `found-action` and `found-action-shell` variables. These values are deserialized and passed to the `foundAction()` function, which executes them via `exec.Command` whenever a scan finding is triggered. By hosting a reflective server to guarantee a finding, an attacker can achieve full remote code execution on the host system. **Recommendations** For versions prior to 2.12.0, ensure the server is started with the `--api-key` flag to enable mandatory authentication. As a temporary mitigation, restrict network access to the server port (default 6664) to trusted sources only. Avoid using the `found-action` and `found-action-shell` variables in API requests.

**Name of the Vulnerable Software and Affected Versions** Dalfox versions prior to 2.13.0 **Description** When running in REST API server mode, the software fails to sanitize the `custom-payload-file` field within `model.Options`, which is deserialized directly from the request body and passed to the `dalfox.Initialize` function and the scan engine. The engine utilizes the `voltFile.ReadLinesOrLiteral()` function to read lines from any file path accessible to the process and embeds them as XSS payloads in outbound HTTP requests sent to a target URL controlled by the attacker. Since the server does not require an API key by default, an unauthenticated network attacker can exfiltrate the contents of arbitrary files from the host system line-by-line through scan traffic. **Recommendations** Update to version 2.13.0. As a temporary mitigation, restrict access to the `custom-payload-file` field by stripping filesystem-dangerous fields from API-sourced requests. Ensure the server is started with a mandatory `--api-key` to prevent unauthenticated access.

**Name of the Vulnerable Software and Affected Versions** Dalfox versions prior to 2.13.0 **Description** When running in REST API server mode, the software fails to sanitize certain fields in the request body, allowing an unauthenticated network caller to create or append to any file writable by the process on the host filesystem. The issue occurs because the `output`, `output-all`, and `debug` fields in `model.Options` are deserialized directly from the request and passed to the scan engine's logging path. The logging function `DalLog()` opens the attacker-supplied path using `os.O APPEND|os.O CREATE|os.O WRONLY` and writes log lines to it, bypassing the `IsLibrary` guard intended to prevent file output in server mode. By default, no API key is required, enabling this unauthorized file manipulation. **Recommendations** Update to version 2.13.0. As a temporary mitigation, restrict access to the REST API server or ensure it is not exposed to untrusted networks. Require the use of an API key by providing the `--api-key` flag at server startup to eliminate unauthenticated access.